CUWeb Auth and CUWeb Login 2 0 Identity

CUWeb. Auth and CUWeb. Login 2. 0 Identity Management Team Campus Developers Meeting June 4, 2008

n? C w ut lo ut do R ol Sh s pu am C K 4 C Se U Yo W rv er u A 2 Ar. 0 e P H ro er d e uc tio it rm Pe 2. 0 K 5 A W U C C U W A 2. 0 Al Be ph ta a n om pl et R el e ea se K 5 Migration Project 2008 2009 Dec Jan Feb Mar Apr May Jun Testing Jul Aug Sep Oct Discretionary migration window Nov Dec Jan Feb Buffer Mar Apr May Jun

https: //confluence. cornell. edu/display/CUWAL/Cornell%27 s+CUWeb. Login+Pages

https: //confluence. cornell. edu/display/CUWAL/CUWeb. Auth+2. 0 Documentation

What's New in 2. 0 Kerberos 5 only Open-source GSSAPI Better Security Better Performance Simplified Administration Flexible Authorization Model New POST Data Handling Better Support

Changes for Kerberos 5 Keytabs not Srvtabs Service. ID Self-Service Application n Create your own keytabs n Create your own Service. ID n Delegate authority No More Side. Car No More Legacy CUSSP Library

Open System Documented Standards-based API's Full Source Code Available Localize Porting Customization

Custom Tools Credential Creation & Parsing Permit. G / Grouper lookup

GSSAPI IETF - RFC 2743 C Bindings Java Bindings Wide OS Acceptance

Better Security CUWeb. Login - Kerberos Proxy No Credential Minting Better MITM Attack Prevention

Performance CUWeb. Login 1. 0 n 20 logins/sec per server n Single Server CUWeb. Login 2. 0 n 200+ logins/sec per server n Load Balanced n 4 Servers

Web. Auth Administration Fewer Directives n 26 Directives Obsolete n 5 -6 New Ones Better Logging n Fine Grained n. htaccess Virtual. Host Security Domain

Flexible Authorization (Active Content) New Directives, more than remoteuser… n Allow anonymous access n List group permissions n Pass cuwa-groups to application n How long ago did user login? n Inspect cuwa-auth-time n Pass cuwa-delegated-cred to application

POST Data No More “Click to Continue” POST Data Handled By Web. Auth n Request Data Stays at Website Can Handle Larger POSTs Same Support Apache / IIS

Better Support Apache and IIS – One Code Base 64 -bit clean Thread safe No Name Collisions n Shared Library Compatibility (Unix) Problem with Binary? Rebuilt It! Short List of Binaries Red. Hat, Solaris, Windows Apache 2. 0, 2. 2, IIS 6 Wiki Documentation

Release Schedule Apache Go-Live: Now IIS Go-Live: one month-ish

Q&A Pete Bosanko pb 10@cornell. edu Tom Parker jtp 5@cornell. edu idmgmt@cornell. edu